CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-59007
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon …

Oct 22, 2025
CVE-2025-58963
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.This issue affects Medcity: from …

Oct 22, 2025
CVE-2025-57870
10.0 CRITICAL

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated …

Oct 22, 2025
CVE-2025-52758
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= …

Oct 22, 2025
CVE-2025-49931
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetSearch jet-search allows Blind SQL Injection.This issue affects JetSearch: from …

Oct 22, 2025
CVE-2025-49915
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection.This issue …

Oct 22, 2025
CVE-2025-49901
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in quantumcloud Simple Link Directory qc-simple-link-directory allows Authentication Abuse.This issue affects Simple Link Directory: from n/a …

Oct 22, 2025
CVE-2025-49380
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= …

Oct 22, 2025
CVE-2025-49060
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Wastia wastia allows Upload a Web Shell to a Web Server.This issue affects Wastia: from …

Oct 22, 2025
CVE-2025-48106
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Clanora clanora allows Using Malicious Files.This issue affects Clanora: from n/a through < 1.3.1.

Oct 22, 2025
CVE-2016-15048
9.8 CRITICAL

AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the …

Oct 22, 2025
CVE-2025-56447
9.8 CRITICAL

TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.

Oct 22, 2025
CVE-2025-41108
9.8 CRITICAL

The communication protocol implemented in Ghost Robotics Vision 60 v0.27.2 could allow an attacker to send commands to the robot from an external attack station, …

Oct 22, 2025
CVE-2025-41723
9.8 CRITICAL

The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations.

Oct 22, 2025
CVE-2025-62481
9.8 CRITICAL

Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated …

Oct 21, 2025
CVE-2025-61757
9.8 CRITICAL KEV

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability …

Oct 21, 2025
CVE-2025-53072
9.8 CRITICAL

Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated …

Oct 21, 2025
CVE-2025-53037
9.8 CRITICAL

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 …

Oct 21, 2025
CVE-2025-60772
9.8 CRITICAL

Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017, allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator …

Oct 21, 2025
CVE-2025-11625
9.8 CRITICAL

Improper host authentication vulnerability in wolfSSH version 1.4.20 and earlier clients that allows authentication bypass and leaking of clients credentials.

Oct 21, 2025
CVE-2025-11624
9.8 CRITICAL

Potential stack buffer overwrite on the SFTP server side when receiving a malicious packet that has a handle size larger than the system handle or …

Oct 21, 2025
CVE-2025-10640
9.8 CRITICAL

An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt in …

Oct 21, 2025
CVE-2025-10916
9.1 CRITICAL

The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers …

Oct 21, 2025
CVE-2025-7851
9.8 CRITICAL

An attacker may obtain the root shell on the underlying OS system with the restricted conditions on Omada gateways.

Oct 21, 2025
CVE-2025-6542
9.8 CRITICAL

An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.

Oct 21, 2025
CVE-2025-61303
9.8 CRITICAL

Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a …

Oct 20, 2025
CVE-2025-8053
9.1 CRITICAL

Insufficient Granularity of Access Control vulnerability in opentext Flipper allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow a low privilege user …

Oct 20, 2025
CVE-2025-55086
9.8 CRITICAL

In NetXDuo version before 6.4.4, a networking support module for Eclipse Foundation ThreadX, in the DHCPV6 client there was an unchecked index extracting the server …

Oct 20, 2025
CVE-2025-9574
10.0 CRITICAL

Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP.This issue affects . All firmware versions with the Serial Number from 2000 …

Oct 20, 2025
CVE-2025-54957
9.8 CRITICAL

An issue was discovered in Dolby UDC 4.5 through 4.13. A crash of the DD+ decoder process can occur when a malformed DD+ bitstream is …

Oct 20, 2025
CVE-2025-61455
9.8 CRITICAL

SQL Injection vulnerability exists in Bhabishya-123 E-commerce 1.0, specifically within the signup.inc.php endpoint. The application directly incorporates unsanitized user inputs into SQL queries, allowing unauthenticated …

Oct 20, 2025
CVE-2025-61932
9.8 CRITICAL KEV

Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code …

Oct 20, 2025
CVE-2025-11948
9.8 CRITICAL

Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby …

Oct 20, 2025
CVE-2025-11391
9.8 CRITICAL

The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation …

Oct 18, 2025
CVE-2017-20208
9.8 CRITICAL

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up …

Oct 18, 2025
CVE-2017-20207
9.8 CRITICAL

The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from …

Oct 18, 2025
CVE-2017-20206
9.8 CRITICAL

The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the …

Oct 18, 2025
CVE-2025-62645
9.9 CRITICAL

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform …

Oct 17, 2025
CVE-2025-62515
9.8 CRITICAL

pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads() to deserialize …

Oct 17, 2025
CVE-2025-56316
9.8 CRITICAL

A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 allows remote attackers to execute arbitrary SQL queries via unsanitized …

Oct 17, 2025
CVE-2025-56221
9.8 CRITICAL

A lack of rate limiting in the login mechanism of SigningHub v8.6.8 allows attackers to bypass authentication via a brute force attack.

Oct 17, 2025
CVE-2025-56218
9.8 CRITICAL

An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.

Oct 17, 2025
CVE-2025-34282
9.1 CRITICAL

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG …

Oct 17, 2025
CVE-2025-62168
10.0 CRITICAL

Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows …

Oct 17, 2025
CVE-2025-62353
9.8 CRITICAL

A path traversal vulnerability in all versions of the Windsurf IDE enables a threat actor to read and write arbitrary local files in and outside …

Oct 17, 2025
CVE-2025-60279
9.6 CRITICAL

A server-side request forgery (SSRF) vulnerability in Illia Cloud illia-Builder before v4.8.5 allows authenticated users to send arbitrary requests to internal services via the API. …

Oct 17, 2025
CVE-2025-57567
9.1 CRITICAL

A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). …

Oct 17, 2025
CVE-2025-49655
9.8 CRITICAL

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded …

Oct 17, 2025
CVE-2023-28815
9.8 CRITICAL

Some versions of Hikvision's iSecure Center Product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges …

Oct 17, 2025
CVE-2023-28814
9.8 CRITICAL

Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers …

Oct 17, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.